http://www.mirc.co.uk - Webpage (approx. 1Mb).
Welcome to my first little tutorial in English! Of course you know mIRC, right? It's a great IRC client for any of you IRC demons. The previous version of this software (5.4) was cracked successfully by my friend h3n, but I wanted to take a deeper look into the program's algorithm so I could create a simple key generator (your reference is the Pascal source code linked below).
Firstly, I attacked this version (5.5) via MessageBoxA. Scroll up a little until you see the call to SendMessageA: 2 parameters get pushed (dump the memory around these areas and you'll see your username and bogus serial), then a call, and a simple conditional jump. This certainly looked like a serial routine in my eyes :).
F8 into the call, then try to understand the first few lines of code. First mIRC checks whether your serial contains 2D(h), which of course you know is a "-". Then it converts the first part of the serial (before the -) into an integer, storing it in [EBP-4]; the second part (after the -) is also converted into an integer and stored at [EBP-8]! Easy, eh? :). Trace a little bit more and you reach this UserName --> Real Serial routine.
:004921ED MOV [EBP-0C],EAX
:004921F0 XOR EAX,EAX
:004921F2 XOR EBX,EBX
:004921F4 MOV EDX,00000003
:004921F9 MOV ECX,[EBP+08] --> ECX points to our UserName (1st char).
:004921FC ADD ECX,03 --> ECX points to our UserName (4th char).
:004921FF CMP EDX,[EBP-0C] --> EDX = 3, [EBP-0C] = UserName length.
:00492202 JGE 00492220 --> UserName length less than 3 = bad.
:00492204 MOVZX ESI,BYTE PTR [ECX] --> 4,5,6,... of UserName.
:00492207 IMUL ESI,[EAX*4+004D0160] --> EAX=0, 004D0160 is a table.
:0049220F ADD EBX,ESI --> Keep it in EBX.
:00492211 INC EAX
:00492212 CMP EAX,26 --> EAX more than 26h?
:00492215 JLE 00492219
:00492217 XOR EAX,EAX --> Then 0 EAX.
:00492219 INC EDX
:0049221A INC ECX
:0049221B CMP EDX,[EBP-0C]
:0049221E JL 00492304
:00492220 CMP EBX,[EBP-04] --> Remember EBX? It's compared with bogus code part 1.
:00492223 JZ 00492229
:00492225 XOR EAX,EAX
:00492227 JMP 0049226E
:00492229 XOR EAX,EAX
:0049222B XOR EBX,EBX
:0049222D MOV EDX,00000003
:00492232 MOV ECX,[EBP+08]
:00492235 ADD ECX,03
:00492238 CMP EDX,[EBP-0C]
:0049223B JGE 00492260
:0049223D MOVZX ESI,BYTE PTR [ECX]
:00492240 MOVZX EDI,BYTE PTR [ECX-01]
:00492244 IMUL ESI,EDI
:00492247 IMUL ESI,[EAX*4+004D0160]
:0049224F ADD EBX,ESI
:00492251 INC EAX
:00492252 CMP EAX,26
:00492255 JLE 00492259
:00492257 XOR EAX,EAX
:00492259 INC EDX
:0049225A INC ECX
:0049225B CMP EDX,[EBP-0C]
:0049225E JL 0049233D
:00492260 CMP EBX,[EBP-08] --> EBX compared with bogus code part 2.
:00492263 JZ 00492269 <-- Jump good.
:00492265 XOR EAX,EAX <-- Clear EAX = bad.
:00492267 JMP 0049226E
:00492269 MOV EAX,00000001 <-- Move good flag.
:00492274 RET 0008
Well, I'm not going to explain the second part of the serial number algorithm
because it's almost the same as the first, (with a little variation). Before I
forget, here is the table at 4D0160 : (Tip: Use a memory dumper to get this,
you also don't need the last 20h - CrackZ).
0167:004D0160 0B 00 00 00 06 00 00 00-11 00 00 00 0C 00 00 00 ................
0167:004D0170 0C 00 00 00 0E 00 00 00-05 00 00 00 0C 00 00 00 ................
0167:004D0180 10 00 00 00 0A 00 00 00-0B 00 00 00 06 00 00 00 ................
0167:004D0190 0E 00 00 00 0E 00 00 00-04 00 00 00 0B 00 00 00 ................
0167:004D01A0 06 00 00 00 0E 00 00 00-0E 00 00 00 04 00 00 00 ................
0167:004D01B0 0B 00 00 00 09 00 00 00-0C 00 00 00 0B 00 00 00 ................
0167:004D01C0 0A 00 00 00 08 00 00 00-0A 00 00 00 0A 00 00 00 ................
0167:004D01D0 10 00 00 00 08 00 00 00-04 00 00 00 06 00 00 00 ................
0167:004D01E0 0A 00 00 00 0C 00 00 00-10 00 00 00 08 00 00 00 ................
0167:004D01F0 0A 00 00 00 04 00 00 00-10 00 00 00 00 00 00 00 ................
0167:004D0200 00 00 00 00 53 6F 66 74-77 61 72 65 5C 6D 49 52 ....Software\mIR
0167:004D0210 43 00 00 6D 49 52 43 00-00 6E 61 6D 65 00 00 63 C..mIRC..name..c

After understanding the routine, I believe mIRC is a good "beginner" introduction to tables. You can examine the keygen I created in Pascal.
mIRC v5.5 Pascal Key Generator
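To make the two compare chains concrete, here is the check routine above reimplemented as a validator in Python. This is an added example, not the author's Pascal keygen; it assumes the table is exactly the 39 dwords dumped at 4D0160 (indices 0..26h, as the EAX wrap implies) and that the two halves of the serial are parsed as plain decimal integers.

```python
# 39 dwords transcribed from the dump at 004D0160 (the tail at 4D01FC onward is
# never indexed because EAX wraps back to 0 once it exceeds 26h).
TABLE = [
    0x0B, 0x06, 0x11, 0x0C, 0x0C, 0x0E, 0x05, 0x0C, 0x10, 0x0A, 0x0B, 0x06, 0x0E,
    0x0E, 0x04, 0x0B, 0x06, 0x0E, 0x0E, 0x04, 0x0B, 0x09, 0x0C, 0x0B, 0x0A, 0x08,
    0x0A, 0x0A, 0x10, 0x08, 0x04, 0x06, 0x0A, 0x0C, 0x10, 0x08, 0x0A, 0x04, 0x10,
]
MASK32 = 0xFFFFFFFF  # EBX is a 32-bit register, so the sums wrap modulo 2**32


def loop_sum(name: bytes, weighted: bool) -> int:
    """EBX after the loop at 004921F9 (weighted=False) or 00492232 (weighted=True)."""
    ebx, eax = 0, 0                       # EBX: running sum, EAX: table index
    # EDX starts at 3 and ECX at name[3]; JGE skips the loop when EDX >= length,
    # so (as listed) a name of 3 chars or fewer leaves EBX at 0 in both loops.
    for edx in range(3, len(name)):
        esi = name[edx]                   # MOVZX ESI,BYTE PTR [ECX]
        if weighted:
            esi *= name[edx - 1]          # IMUL ESI,EDI  (EDI = previous char)
        ebx = (ebx + esi * TABLE[eax]) & MASK32   # IMUL ESI,[EAX*4+4D0160]; ADD
        eax = 0 if eax + 1 > 0x26 else eax + 1    # INC EAX; CMP EAX,26; JLE/XOR
    return ebx


def check_serial(name: str, serial: str) -> bool:
    """True when 'part1-part2' matches the two loop sums for this user name."""
    if "-" not in serial:                 # the 2Dh check done before the routine
        return False
    head, _, tail = serial.partition("-")
    try:
        part1, part2 = int(head) & MASK32, int(tail) & MASK32   # [EBP-4], [EBP-8]
    except ValueError:                    # non-numeric halves never match
        return False
    raw = name.encode("latin-1")          # the routine walks raw single bytes
    if loop_sum(raw, False) != part1:     # CMP EBX,[EBP-04] ; JZ
        return False
    return loop_sum(raw, True) == part2   # CMP EBX,[EBP-08] ; JZ -> good flag


if __name__ == "__main__":
    # constructed sample: for "abcd" only 'd' (with 'c' as EDI) is processed
    print(loop_sum(b"abcd", False), loop_sum(b"abcd", True))   # 1100 108900
```

Both sums are linear in the table entries, which is why the whole scheme is recoverable from the listing and the 39-entry dump alone.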
Tutorial Author: flag eRRatum.